
Most of the users could open a site while few cannot

viveks1976
Level 1

Hello,

I am using CISCO ASA 5585.

While most of the users can browse one particular website, a few cannot.

I captured the packets against the solution provided for "MSS Exceeded" but didn't find any packets captured against the match. So, the problem might not be pertaining to this.

I used packet tracer and found that it is being dropped due to some access-list configuration, though no implicit rule was shown in the context.

The relevant output for it is produced below:

Phase: 5
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7ffdae3ab750, priority=500, domain=permit, deny=true
    hits=6, user_data=0x7, cs_id=0x0, reverse, flags=0x0, protocol=6
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=INSIDE, output_ifc=any

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Now I don't know how to troubleshoot the problem. This is a pressing problem as the concerned site is one of the most sought-after portals for my users. The website is working fine outside the firewall.

Thank you,

Vivek

1 Reply

Marvin Rhoads
Hall of Fame

Duplicate post.

Original: 

https://supportforums.cisco.com/discussion/13256751/some-websites-not-opening-thorugh-cisco-asa
